diff options
| author | Tom Christie | 2013-02-10 20:08:46 +0000 |
|---|---|---|
| committer | Tom Christie | 2013-02-10 20:08:46 +0000 |
| commit | baacdd821feece9c77ad74c25fd00842f47cfb84 (patch) | |
| tree | 5b6366543f4eb33322d010923eec005148028bf7 | |
| parent | 870f10486cd347480fb16d95647d1ca4a72d83d4 (diff) | |
| download | django-rest-framework-baacdd821feece9c77ad74c25fd00842f47cfb84.tar.bz2 | |
Add object permissions tests.
| -rw-r--r-- | rest_framework/tests/permissions.py | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/rest_framework/tests/permissions.py b/rest_framework/tests/permissions.py index a7777b57..26a34319 100644 --- a/rest_framework/tests/permissions.py +++ b/rest_framework/tests/permissions.py @@ -107,3 +107,49 @@ class ModelPermissionsIntegrationTests(TestCase): HTTP_AUTHORIZATION=self.updateonly_credentials) response = instance_view(request, pk='2') self.assertEquals(response.status_code, status.HTTP_403_FORBIDDEN) + + +class OwnerModel(models.Model): + text = models.CharField(max_length=100) + owner = models.ForeignKey(User) + + +class IsOwnerPermission(permissions.BasePermission): + def has_permission(self, request, view, obj=None): + if not obj: + return True + return request.user == obj.owner + + +class OwnerInstanceView(generics.RetrieveUpdateDestroyAPIView): + model = OwnerModel + authentication_classes = [authentication.BasicAuthentication] + permission_classes = [IsOwnerPermission] + + +owner_instance_view = OwnerInstanceView.as_view() + + +class ObjectPermissionsIntegrationTests(TestCase): + """ + Integration tests for the object level permissions API. + """ + + def setUp(self): + User.objects.create_user('not_owner', 'not_owner@example.com', 'password') + user = User.objects.create_user('owner', 'owner@example.com', 'password') + + self.not_owner_credentials = basic_auth_header('not_owner', 'password') + self.owner_credentials = basic_auth_header('owner', 'password') + + OwnerModel(text='foo', owner=user).save() + + def test_owner_has_delete_permissions(self): + request = factory.delete('/1', HTTP_AUTHORIZATION=self.owner_credentials) + response = owner_instance_view(request, pk='1') + self.assertEquals(response.status_code, status.HTTP_204_NO_CONTENT) + + def test_non_owner_does_not_have_delete_permissions(self): + request = factory.delete('/1', HTTP_AUTHORIZATION=self.not_owner_credentials) + response = owner_instance_view(request, pk='1') + self.assertEquals(response.status_code, status.HTTP_403_FORBIDDEN) |